Requirements for High-Risk AI Systems

An AI system is considered high-risk when it is deployed in one of the areas defined in Annex III of the EU AI Act and significantly influences decisions there. Typical areas: • Human resources: Application screening, performance evaluation • Finance: Creditworthiness, insurance risks • Education: Admission, exam evaluation, learning support • Critical infrastructure: Energy, water, transport • Law enforcement: Risk assessment, evidence evaluation

Providers must create and maintain comprehensive technical documentation. This must include: • General description of the AI system • Detailed description of development processes • Information on training data and methods • Design and architecture specifications • Performance metrics and test procedures • Risk management documentation Documentation must be created before market placement and continuously updated.

A continuous risk management system must be implemented: 1. Identification of known and foreseeable risks 2. Estimation and evaluation of risks 3. Assessment based on market surveillance data 4. Appropriate risk mitigation measures The system must cover the entire lifecycle of the AI system – from development through deployment to decommissioning.

Before market placement, a conformity assessment must be carried out. For most high-risk systems, a self-assessment is sufficient – for biometric systems, an external body is required. The assessment includes: • Review of the quality management system • Review of technical documentation • Verification of risk management • Testing of accuracy and robustness • Granting of CE marking

The penalties are significant: • Up to €35 million or 7% of global annual turnover for prohibited practices • Up to €15 million or 3% for violations of high-risk requirements • Up to €7.5 million or 1.5% for providing incorrect information SMEs and start-ups receive more proportionate fines – the lower of the two options applies.